With newly added harsher punishments for website administrators and internet service providers who disclose user data, Egypt’s cybercrime bill is poised for a vote in Parliament, pending official approval by the legislature’s Communication and Information Technology Committee (CITC). Disagreements over the bill’s remaining articles were ironed out in two meetings held last week, on April 10 and April 12, which were chaired by CITC head Nidal al-Saeed, and attended by a host of government officials that far exceeded the number of members of Parliament present.

The government-drafted bill — which was referred to the committee in early March — is composed of 45 articles and includes 29 penalties sentencing offenders to up to five years in prison and/or fines of between LE10,000 and LE20 million. Its significance stems from the fact that, if it is passed, it will be the first piece of legislation to regulate social media content and establish principles to confront cybercrimes, including piracy and the hacking of private and government websites. Most importantly, the bill would set a precedent in regulating web censorship.

MP attendance has been sparse in the several meetings held to settle on the language of the bill before submitting it for a general vote in Parliament.

The session on April 12 was yet another meeting that was held without many CITC members, with only three MPs present among a large number of government officials.

After last week’s sessions, a well-informed source within the CITC told Mada Masr, speaking on condition of anonymity, that the committee would wait to pass the bill, as the absence of its members in the government-attended sessions would make such a motion unconstitutional. Instead, the bill will be approved in the committee sessions that are being held this week, which its members will attend. The first of these meetings took place yesterday, when five new amendments were approved. Two additional articles are to be discussed in Monday’s subsequent session. Once the bill is approved by the committee, a report on the legislative draft — including the amendments made over multiple sessions — will be submitted to the parliamentary general session and put to a vote at the next general meeting.

ISPs required to protect user data

The definition of “website” and penalties for administrators or websites and online accounts were some of the provisions that sparked the most controversy in the April 10 meeting, and were tabled until April 12.

Article 1 defines a website as, “A virtual domain or place with a specific address on an information network.” The second item in Article 2 stipulates that ISPs shall be required to keep saved and stored data confidential, and shall not disclose it without a substantiated order by a competent judicial authority.

Article 32 of the bill stipulates that, “Any service provider who contravenes the provisions of Item 2 of Paragraph 1 of Article 2 of this law by disclosing, in any way and without permission or an order from a competent investigative authority, the personal data of any of its users, or any other information related to the websites they visit, the private accounts they access, or the the persons or entities they communicate with, shall be penalized with imprisonment for a term of no less than one year and/or a fine of no less than LE5,000 and no more than LE20,000; and multiple fines shall apply in the event of multiple victims.”

The last clause in the article, pertaining to multiple punishment, was the subject of debate. Mohamed Abdel Ghaffar, a representative of the Central Agency for Public Mobilization and Statistics (CAPMAS), Egypt’s national statistics agency, raised an objection, saying that imposing multiple punishments for the same act is unnecessary. However, Judge Mohamed Hegazy, the Communications and Information Technology Ministry’s representative, countered this by saying that multiple punishment only applies in the event that multiple people are affected by the act or crime.

In turn, Judge Haitham al-Baqly, the Justice Ministry’s representative at the April 12 meeting, explained that the article is meant to impose harsher punishment, not multiple penalties, in cases where there are aggravating circumstances. After debate, the article was eventually finalized, with the last clause included as is, but the specification on the disclosure of users’ personal data was removed.

Debate over the clause was first initiated by representatives of the Consumer Protection Authority (CPA). Referring to provisions of the law regulating the CPA’s operations — which allow for it to gain access to any documents or data retained by any entity for the “fulfilment of the purposes for which the CPA was established” — they called for Article 32 to end at the clause forbidding the disclosure of data, thereby removing the clause that provides for the requirement of a substantiated order from a competent investigative authority. Accordingly, the CPA would be able to reach out to websites to gain access to information in the event that it is looking into a complaint from a citizen.

The absence of explicit language determining the CPA’s right to access information would, its representatives said, impede its ability to carry out its duties. They gave several examples, including a complaint against one website that had offered a product for sale for LE100, although its market price is at least LE10,000. By the time the website administrators caught the error, the funds had already been withdrawn from the consumer’s account. The website then cancelled its contract with the consumer. In such cases, the CPA approaches ISPs to gain access to details about the website, its commercial registration and the way it operates.

The CPA’s representatives affirmed that the intention behind their request for amendment is not to access personal data, but rather to be able to protect consumers. Each consumer, the representatives argued, files a request with the CPA, giving it power of attorney to defend them against or through information provided by ISPs. The CPA is keen on protecting the confidentiality of consumers’ data, and the disclosure of personal data merits “the harshest form of punishment” for its officials and affiliates, one CPA representative said.

But Hegazy asserted that the clause would not at all impede the CPA in its duties. Rather, it is meant to enforce constitutional provisions that emphasize the protection of personal data. “Why can’t the CPA,” he said, “request permission from the competent judicial authority, namely the public prosecutor?”

In response to his argument, the CPA’s representatives explained that obtaining permission can be challenging, especially given that website content and data can easily be changed. Meanwhile, the CPA received nearly 5,000 complaints against websites in 2017 alone, its representatives said.

At the end of the discussion, CITC members opted for the protection of personal data and banning the disclosure thereof without a substantiated order from a competent judicial authority, refusing a proposal to authorize investigative bodies to issue substantiated orders.

Stiffer punishment for negligent web administrators

Much of the discussion in the April 10 meeting on the bill focused on the punishment website owners and administrators would face for running afoul of the cybercrime law, specifically as it is outlined in articles 29 and 30.

The law defines a website manager as anyone responsible for organizing, managing, monitoring or maintaining one or more websites on an information network, including administrative users’ access privileges, the website’s design or the creation and organization of its pages or content.

The April 10 meeting lasted three hours and was attended by only four MPs amid the heavy government presence, which included representatives from the ministries of communications and information technology, defense, interior, culture, finance, investment, immigration and expatriate affairs, in addition to CAPMAS, the Cabinet’s Information and Decision Support Center, the Supreme Council for Media Regulation and the Administrative Control Authority. The meeting began with government officials pushing for legislative language that would allow an investigating judge to sentence an offender to death for acts that “threaten national security.”

The proposal, however, was met with opposition from the CITC’s head.

“Increasing sanctions will scare people away from the bill and will make it difficult to approve, especially in cases where the crime was a result of negligence or occurred without the website owner’s intent,” Saeed said during the meeting.

When government officials acquiesced to Saeed’s argument, the discussion shifted to introducing stringent fines and prison terms for infractions.

Wael al-Taweel, a Central Bank representative, requested that websites that publish from abroad be fined in US dollars rather than in Egyptian pounds, a suggestion that was supported by Ahmed Zidan, the CITC secretary, who petitioned for the provision to be added to the article. Saeed, however, stated that the matter would be tabled and potentially included in the law in the future.

Article 7 of the law defines the mechanisms to address websites that publish from abroad, which include blocking access to the website as a form of punishment if the law is violated.

For those who create, run or use a website or a private account on an information network that aims to commit or facilitate a crime punishable by Article 28 of the cybercrime law, the meeting members pushed for harsher punishments: a minimum sentence of two years in prison and/or a fine between LE100,000 and LE300,000.

However, government officials and the few MPs in attendance in the Tuesday meeting were not able to come to a consensus on how to portion out punishment for cybercrimes in cases where liability may be in question. By the close of the April 10 meeting, members decided to postpone discussion on Article 29, which deals with unintentional crimes, and Article 30, which deals with intentional ones, until the April 12 meeting, in which the ministries of justice and communications were tasked with rephrasing their language.

Article 29 concerns the punishment of a person responsible for the administration of websites, personal accounts or email, in the event of tampering with digital evidence in one of the crimes set forth in the law.

There was a lengthy discussion before the meeting’s members arrived at this formulation, at the close of which it was concluded that “if an individual responsible for a website or private account, email or information system tampers with the digital evidence of one of the crimes stipulated by the law with intent to impede the work of authorities, they will face imprisonment for a period of not less than 3 months and a fine of not less than LE20,000, and not more than LE100,000.”

However, there was no consensus on the phrasing of Article 30, which makes provision for the punishment of a person responsible for the administration of a website, personal account, email or information system in the event of a crime that was caused by negligence with a minimum sentence of six months in prison and/or a maximum fine of LE100,000.

The debate that eventually led to the postponement of Article 30 began when Baqly, the Justice Ministry representative, proposed to increase the penalty in Article 29 to six months in prison, where there original language stipulated a three-month term, and to increase the maximum fine to LE200,000 from LE100,000, to account for the contrast in liability.

Hegazy, the Information Technology and Communications Ministry representative, stressed that Article 30 is of particular importance, and needs tougher penalties, stating that six months imprisonment is insufficient, especially as it addresses a vital dimension of increasing information security. The service provider must commit to adequately securing the site they manage, with safety measures such as anti-virus programs, Hegazy argued.

A government representative also pointed out a problem in the penalty laid out in Article 30. Compliance with the law may “not necessarily be the sole responsibility of the website administrator and may be the responsibility of the administrator or developer or operator of the site. Therefore, there must a determination of the responsibility for each person and a penalty specifically assigned to each,” he stated, prompting Saeed to postpone the finalization of both articles.

The issue of portioning out punishment for acts of varying liability was previously a source of debate in discussion of articles 16 and 21, which were passed by the CITC last month. Hassan al-Azhary, director of the Association for Freedom of Thought and Expression’s legal unit, previously told Mada Masr that one of the main issues of the law is its failure to distinguish between crimes borne out of intention and those borne out of negligence. The law treats both violations the same in terms of the penalties it stipulates, which he argued is a grave legislative error repeated throughout the draft law. In Article 16, for example, both “those who intentionally or unintentionally wrongfully access a website or a personal account or information system to which entry is forbidden” can face staunch punishments.

Article 29 and 30 were taken up and finalized in the April 12 session.

The committee decided to amend Article 29, introducing harsher punishment for administrators of websites and private accounts in the event that digital evidence is concealed. The amendment stipulates that, if any administrator of a website, private account, email or information system conceals or tampers with digital evidence, as provided in this law, with the intention of obstructing the work of the competent authorities, they shall be penalized with imprisonment for a term of no less than three months and/or a fine of no less than LE20,000 and no more than LE100,000.

Two amendments were also introduced to Article 30, providing for harsher punishments for website and account administrator in cases of violations borne out of negligence. With the government-proposed amendment, the article now stipulates, “Any administrator of a website, private account, email or information system who makes any of [these media] vulnerable to any crime provided in [this] law shall be penalized with imprisonment for a term of no less than one year and/or a fine of no less than LE20,000 and no more than LE200,000. Anyone whose negligence causes any of [these media] to be vulnerable to any crime provided in [this] law, and such negligence is the result of their lack of caution or failure to take the necessary security measures and precautions provided in the implementing regulations for [this] law, shall be penalized with imprisonment for a term of no less than six months.”

Article 37, which concerns penalties for acting web administrators, was approved without amendment. It stipulates that, if an administrator is proven to have been aware of a crime or facilitated the commission thereof with the purpose of serving his or her own interests or the interests of another, the administrator shall be liable to the same penalty as the principal offender. This applies to cases in which any crime outlined in the law is committed under the name of and on behalf of the legal person.

A court may, Article 37 stipulates, “suspend the legal person’s license to practice for a term of no more than one year. In case of a repeat offense, it may revoke the license or dissolve the legal person, as the case may be. The decision shall be publicized in two widely circulated daily newspapers, and the legal person shall bear the costs thereof.”

Article 39: Protection for bona fide parties

Article 39 pertains to the confiscation of instruments and equipment used to commit any crime provided in the law, in the event of conviction. An amendment was proposed by the Justice Ministry representative with the purpose of protecting bona fide parties, stakeholders who are innocent or act in good faith without knowledge of any fact that would amount to a violation of the law. The CITC approved the proposed amendment, with the intention of outlining specifications for those who qualify to be bona fide parties in the implementing regulations.

The article now stipulates, “Without prejudice to good faith, on conviction of any crime provided in this law, the court shall be required to order the confiscation of instruments, machines, equipment, devices and other tools which may have been used to commit the crime or contribute to the commission thereof. In cases where a license from a government body is required to practice, and the legal person convicted of any crime provided in this law has not acquired such license, it shall be shut down in addition to the penalties prescribed for the crime.”

‘Loose definition of national security:’ National Human Rights Council representative

While articles ranging from Article 31 to Article 39 were approved in the April 10 meeting session, Article 40 of the bill proved controversial for stipulating that a court can dismiss public officials from their positions in the event that they are convicted of an offense under the law. A number of representatives of different ministries attending the meeting objected to this stipulation, arguing that violations need not necessarily result in a dismissal.

The committee ultimately approved a proposal introduced by MP Saeed that would see state officials dismissed from their positions via a court order on a case-by-case basis rather than as an imperative, except in violations that affect Egypt’s national security.

After being amended, Article 40 now states: “The court shall, if it convicts a public official of any of the offenses set forth in this law, during or as a result of the carrying out of duties, remove them from their post.”

Questions of national security were also the topic of a two-hour April 12 evening dialogue session that the CITC convened with members of the National Human Rights Council (NHRC). NHRC members Niveen Mosaad and Yasser Abdel Aziz, among others, attended the meeting with MPs and state officials.

Abdel Aziz voiced objections to authorizing investigative authorities to take the punitive measure of blocking websites that operate in Egypt. Instead, he called for the decision to mete out punishment to be referred to the judiciary, so that websites may not be blocked without a judicial ruling.

Article 7 of the bill authorizes the competent investigative authority to order the censorship of a website, URL or content, whenever technically possible, when evidence arises that a website operating from inside or outside the country has published any phrases, photos, films or any promotional material or the like which constitute a crime, as set forth in this law, and poses a threat to national security or compromises national security or the national economy. Under the article, investigation authorities are obligated to “submit the censorship order to the competent court sitting in chambers within 24 hours of its issuance, accompanied by a legal memorandum which outlines its legal opinion, and the court shall render a decision within 72 hours after the submission of the order approving or rejecting thereof.”

In urgent cases, in which imminent danger or damage could ensue from a crime, an investigation and interdiction entity may inform the National Telecom Regulatory Authority (NTRA) in order for the latter to immediately send notice to ISPs to temporarily block a website. ISPs shall be required to comply with the notice upon receipt. The investigation and interdiction entity which triggered the notice shall then submit a report to the competent investigative authority within 48 hours, noting the procedure that had been conducted. If a report is not submitted within this time interval, the censorship order will be considered null and void.

Should the CITC grant authorities this power, Abdel Aziz said, the time interval during which the competent court shall be required to issue a ruling should not be 72 hours. “You are aware that, in the world of information technology, this is a long time.”

Citing Article 71 of the Constitution, Abdel Aziz stated that the move to shut down any media outlet is prohibited. Media websites, he said, are under the jurisdiction of the Supreme Council for Media Regulation. Abdel Aziz also took the opportunity to emphasize the need for a law on the right to access information, as stipulated in Article 68 of the Constitution.

For Abdel Aziz, the cybercrime bill also includes problematic language when it comes to defining national security. He argued during the dialogue session that the definition is too broad, where it should be technical and precise.

In a CITC-chaired meeting on March 13, MPs and state officials endorsed the definition of national security provided in the government’s draft: “All that pertains to the independence, stability, security, unity and territorial integrity of the nation and all that relates to the affairs of the Office of the President, the National Defense Council, the National Security Council, the Armed Forces, the Military Production Ministry, the Interior Ministry, the General Intelligence Service and the Administrative Control Authority and the entities affiliated therewith.”

The bill’s explanatory memorandum, which was drafted by the Justice Ministry, also specifically states that “avoiding ambiguity of definitions” is one of its primary purposes.

According to Abdel Aziz, the definition of national security influences several articles, for example, articles that allow for the censorship of a website for posing a threat to “national security.” “Under the definition provided in the law, what constitutes an offense on the part of the [content] provider? To publish a statement that poses a threat to national security? To promote discrimination? To incite hatred?” he asked.

“What if,” he elaborated, “a news website reports that the head of the state is not a national of the country he is presiding over and that information were true? Would that be a threat to national security?”

But Hegazy affirmed that blocking websites already requires an order from the competent court and that the investigative authority is required to submit any requests to censor a website or URL to the court for review, along with a memorandum outlining the grounds for its request, and that it is up to the court to uphold or revoke such a block. He also pointed out that it is only in cases of imminent danger or damage that the investigative authority in question may move ahead with a censorship order unilaterally, which would be immediately forwarded from the NTRA to ISPs, in which case the matter is also to be submitted to the competent court for review.

In response to Hegazy’s comment, Abdel Aziz proposed an amendment to Article 7: to replace “order” in the clause stipulating the investigative entity’s authority with regards to the censorship of a website, whenever technically possible, with “request.”

Mosaad endorsed Abdel Aziz’s comment on the definition of “national security” provided in the law, describing it as “loose” and neither specific nor comprehensive. She argued that national security should not be defined by sectors of the state, but rather by indicators. Why would national security, she said, be defined as what relates to the affairs of specific bodies — such as the Office of the President, the National Defense Council and the National Security Council — while certain issues of national security fall within the jurisdictions of several ministries?

“What would happen if a news piece published on a website addresses the performance of Interior Ministry affiliates, for instance?” Mosaad asked, referring to the word “affairs” in the definition. Regarding the succession of web censorship procedures, she continued to say that it would be preferable if court orders are provided as a prerequisite for all web censorship measures under any circumstances; otherwise, the practice would constitute a form of restriction of freedom of thought and expression.

As the meeting was concluded, Saeed promised the NHRC members that their proposed amendments would be considered before the bill is passed by the committee.

Another bill to protect personal data on the horizon?

The cybercrime prevention law will not be the last of the government’s forays into the legislation of Egypt’s digital environment. During the April 12 three-hour meeting, Saeed announced that the Communications and Information Technology Ministry is currently preparing another bill on privacy and the protection of personal data. According to the CITC head, the bill will contain 40 articles and will be submitted by the Cabinet to the legislature within days. Another bill on the protection of intellectual property is also in the pipeline.

The committee agreed in the Tuesday meeting to grant service providers and those who the law addresses a period of one year from the law’s issuance to ensure their compliance. The prime minister will issue the executive regulations of the law within three months from the date it comes into effect.The nearly final version of the cybercrime bill is the latest step in the protracted process of passing cybercrime legislation. MP Tamer al-Shahawy submitted a draft law to the Cabinet’s Proposals and Complaints Committee in May 2016, which bore a distinct resemblance to a bill proposed by the Justice Ministry in March of the previous year. Around the time of the second proposal, several human rights organizations published a report titled “Anti-Technology,” which suggested that Shahawy’s draft “violates the principle of equality before the law and contains penalties regarding the use of information technology.” According to the report, the legislators who drafted the law had an “animosity” toward the internet, adding that should the bill be passed it would essentially lead to “a total ban on internet use.”

Shortly after, inSeptember 2016, the Cabinet’s Legislation Reform Committee offered up another draft. Labeled the “IT crimes law,” it is the most similar to the legislation currently under discussion.